OpenOffice.org has fixed a critical flaw in its suite's database engine that attackers could use to hijack a computer.
The bug in HSQLDB, a lightweight, all-Java SQL database engine, can be used to force OpenOffice to execute Java code planted in a rigged database document, said Danish vulnerability tracker Secunia in an alert posted Wednesday. OpenOffice.org also posted an advisory on the bug, and the project's organisers urged customers to update to 2.3.1 as soon as possible.
Versions of the free application suite prior to the just-released 2.3.1 are vulnerable, added Secunia. The refreshed edition can be downloaded from the OpenOffice.org website in versions for Windows, Linux and Solaris.
The open-source project's organisers had patched the suite as recently as September, when flaws in how it handles TIFF image files were disclosed. According to Secunia, OpenOffice.org has plugged five security holes so far this year.
The suite is most popular on Linux but is also used as an alternative to Microsoft Office and other for-a-fee bundles.
OpenOffice.org is shooting for a March 2008 delivery date for the next major upgrade, dubbed 2.4.